At this time, DoH capabilities are only available on macOS, Windows, and Linux Client platforms.
Twingate provides native DNS-over-HTTPS (DoH) capabilities for any users in your Twingate network running macOS, Windows, or Linux Clients. (Regardless of platform, headless clients running in service account mode will never use DoH.)
Because Twingate operates at the network level on a user’s device, Twingate DoH will encrypt all DNS traffic regardless of the originating application with no configuration changes required other than running the Twingate Client. You can access DoH configuration settings from the Secure DNS page under Settings in the Admin console.
The following options are available:
- Toggle whether DoH is enabled for your entire account. DoH is disabled by default.
- Set the DoH resolver. We offer a number of pre-configured public resolvers as options, and you may also use a custom DoH resolver.
- Determine the resolver fallback behavior. You may either enforce strict usage of the DoH resolver, including when it is unavailable, or allow fallback to regular DNS if name resolution fails, or the DoH resolver is unavailable.
- Set exceptions for groups that should not have DoH enabled. Any number of exception groups may be chosen.
How does DoH behave when enabled?
When DoH is enabled, the client will behave in the following way:
1. Any time a user is logged into the client, the client will receive a DoH configuration from the server.
- If DoH is enabled for your account, and the user is not a member of a DoH exception group, the client will enable DoH.
- Otherwise, DoH will be disabled.
2. Once the client receives its configuration and enables DoH, any DNS A queries on the user’s device that are not destined for a Twingate Resource will be encapsulated in a DoH request and sent to the configured DoH resolver.
- Note that AAAA (IPv6) queries are not supported at this time, and local resolution will fallback to IPv4 before being encapsulated in a DoH request.
3. Depending on the configured fallback method, the following behavior applies:
- Strict mode will never fall back to regular DNS requests. If the DoH resolver is not available, all DNS requests will fail. This also means that private DNS requests, which cannot be resolved by the configured DoH resolver, may also fail.
- Automatic mode will fall back to regular DNS requests if either the DoH resolver is unavailable or name lookup fails at the configured DoH resolver.
If the Twingate Client is configured to start at login, DoH protection will be enabled as soon as the Twingate Client application starts after machine boot.
DoH Resolver Configuration
You can select from a number of trusted public DoH resolvers when configuring DoH.
You may also choose a custom resolver if you prefer to use a different public DoH resolver, or if your organization uses a private DoH resolver configuration. This option is most common when using a DNS filtering service that you wish to enable for users via Twingate.
When setting a custom DoH resolver, we do not check if the address is a valid DoH resolver beyond being an HTTPS endpoint. Misconfiguring the URL can hence result in DNS queries failing for all users if DoH is also set to Strict mode.
The Fallback Method determines the behavior when either the DoH resolver itself is unavailable, or an address cannot be resolved by the DoH resolver. For example, private DNS address resolution is not possible from a public DoH resolver.
- When set to Strict, the Client will never fall back to regular DNS requests, even if the DoH resolver is not available.
- When set to Automatic, the Client will fall back to regular DNS requests when either the DoH resolver is not available or an address lookup fails.
The default fallback method is Automatic.
Exceptions to DoH configuration may be also be set. Any groups added to the exception list will not receive a DoH configuration and the Twingate Client will use public DNS as configured on the user’s device. If a user belongs to at least one group that is part of the exception list, their Twingate Client will use public DNS as configured on their device.
Last updated 8 hours ago